Attacker-defined Abstractions: Programming Benign System Functionality For Subversive Purposes

Research output: PhD Thesis - Research and graduation internal


Abstract

Abstractions are fundamental to software engineering. Modern systems are simply too complex for any single person to keep completely in their head, and abstractions are a great way to divide the required functionality into separate components. This allows for division of labor and simplifies reasoning about the correctness of parts of the system. However, hiding implementation details behind abstractions can conceal problems that implementations might have. On top of that, confusion about what exact functionality an abstraction provides can also lead to flaws that can be exploited by attackers. Exploit development is a software engineering discipline in itself, and as such it also often makes use of abstractions. While an attacker has to work with the implementations of their target system, they are not restricted to viewing this system through the same abstractions. Sometimes un(der)specified behaviors in the implementation of one abstraction, which in isolation seem innocuous, can interact with other parts of a system to create a new flaw, or exacerbate an existing one.

This dissertation explores three ways in which unforeseen interactions between abstraction layers can lead to security vulnerabilities, or make them worse. First, we explore how the choice of implementation of an obscure part of the UNIX/Linux operating system enables an exploitation technique called sigreturn oriented programming. It turns out that this gives attackers a lot of control over a program's execution state, greatly simplifying the writing of exploits. In some cases, it even allows for exploits that work regardless of which specific version of a vulnerable program is being exploited. Next, we examine the security implications of Memory Deduplication, a performance optimization commonly found in both virtualization environments and operating systems. Our work shows how Deduplication can be abused as a side-channel in a more powerful way than was previously known. Furthermore, by combining this side-channel, which leaks data, with a hardware flaw called Rowhammer, which causes a useful corruption informed by that data, we show that it is possible to exploit a browser without making use of any flaws in that browser. Finally, we combine Rowhammer and Deduplication in a different way to create a precise memory corruption primitive in a technique we call Flip Feng Shui. Here, Deduplication is used as a means to get more control over an otherwise random memory corruption. This enables us to corrupt cryptographic key material and configuration files, and allows us to take over a virtual machine from another virtual machine that runs on the same hardware.
Original language: English
Qualification: PhD
Awarding Institution
  • Vrije Universiteit Amsterdam
Supervisors/Advisors
  • Bos, Herbert, Supervisor
  • Giuffrida, C, Co-supervisor
Award date: 19 Nov 2024
Print ISBNs: 9789464736120
DOIs
Publication status: Published - 19 Nov 2024

Keywords

  • Exploitation
  • Weird Machines
  • Rowhammer
  • Memory Deduplication
  • Side-channels
  • Sigreturn Oriented Programming
